Security News > 2022 > September > Stealthy hackers target military and weapons contractors in recent attack
Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The campaign stands out for its secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
The phishing email targeting employees includes a ZIP attachment that contains a shortcut file, which, upon execution, connects to the C2 and launches a chain of PowerShell scripts that infect the system with malware.
The obfuscation techniques seen by Securonix analysts are reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.
If all checks pass, the script proceeds by disabling the PowerShell Script Block Logging and adds Windows Defender exclusions for ".
After the PowerShell stager completes the process, an AES-encrypted final payload is downloaded from the C2. "While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis," explains the researchers.
News URL
Related news
- Chinese hackers targeted sanctions office in Treasury attack (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- Google says hackers abuse Gemini AI to empower their attacks (source)
- Spain arrests suspected hacker of US and Spanish military agencies (source)
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- Russian military hackers deploy malicious Windows activators in Ukraine (source)
- whoAMI attacks give hackers code execution on Amazon EC2 instances (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)